Re: West Yorkshire Police Virus

@All : I heard back from McAfee. Not the best of news - decryption might be possible but would be too time-consuming and expensive. What little I know about cryptography backs that up - unless you already have a shrewd idea of the method used for encryption you have to throw a lot of resources at the problem. I wonder if Dr.Web - a Russian outfit - have somehow managed to tap into the Russian-language underground forums and pick something up that gave them a clue? It's one of the things that Brian Krebs manages to do quite often, and researchers share information all the time, so it's possible.

Edit - Yes, yes, of course, as was pointed out to me, if you have a before- and after-infection file the decryption is easy enough provided that there has only been one encryption pass. There are ways to complicate the process so that you can't just do a simple transposition but they take longer and won't be used in most of the cases we're likely to see. I make no comment as to why in that case the file fix isn't being offered by McAfee. Perhaps it will be, if any of their business customers fall foul of this.

For the moment Dr.Web is the best bet for anyone with encrypted files - if, it must be said, you've got backup copies of at least some of them.

The Malakai material and the chats with the (supposed) authors of this ransomware will have to go into the blog. A pity that I'm not going to be around much for the next couple of days, but duty calls elsewhere. I'll catch up as and when I can.

Re: West Yorkshire Police Virus

Good news -- feeding that into matsnu1decrypt.exe was enough for it to decrypt all 300-odd affected files. (My daughter wasn't best pleased at having "lost" all of her A level coursework etc., but she's a very happy bunny again now!)

Re: West Yorkshire Police Virus

I have been reading the thread with horror, as I work in my office here, knowing what awaits me at home. My home computer was infected with this virus, and it is a variant with a German splash start-up page after the log-on screen. Yes, encryption has taken place on a lot of the files; I just finished finding a rescue disk to start up my computer from and get the restoration process going.

Glitton, a summarized explanation of what steps you followed would do the world of good to someone who has almost 20 years of photographs and videos from the family on the verge of meeting the electronic afterlife.


Re: West Yorkshire Police Virus

Thanks, nit2k. I'm sure there are (or will be) others who appreciate that advice.

The authors haven't gone for anything complicated, then. The same decryption works for all the files. They could so easily have made it a lot more difficult ...

The info from Dr.Web that made it clear to me:

---x---

This trojan uses RC4 encryption and derives the encryption key from the md5 hash of a random string with a fixed prefix. It doesn't store the decryption key on the PC after encryption. You just have to find an original file. Maybe you have an encrypted manual, the original of which can be downloaded, or some encrypted photo which is still preserved on the camera's memory stick, or maybe binary files of some software were encrypted and you can find the original installer of that software - anything will do.
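Why one before/after pair is enough, as an added example that is not from the thread or from Dr.Web: RC4 is a stream cipher, so ciphertext is plaintext XOR keystream, and if the same key (as the thread's results imply) was applied to every file, XOR-ing one known original against its encrypted copy yields the keystream, which then unlocks every other file up to the length of that known file. The fixed prefix and the sample file contents are constructed for the demonstration.

```python
# Added example, not from the thread: one original/encrypted pair recovers
# every file when a stream cipher reuses its key. Assumes, as the thread's
# results imply, the same RC4 key was used on all files; "FIXEDPREFIX" and
# the sample file contents are constructed.
import hashlib
import os

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 KSA + PRGA, returning `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_key(random_part: bytes) -> bytes:
    """MD5 of a fixed prefix plus a random string, as Dr.Web describes."""
    return hashlib.md5(b"FIXEDPREFIX" + random_part).digest()

def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known plaintext: C = P xor KS, so KS = P xor C, up to len(P) bytes."""
    return xor_bytes(original, encrypted)

def decrypt_with_keystream(encrypted: bytes, keystream: bytes) -> bytes:
    """Only bytes covered by the known file can be recovered; refuse otherwise."""
    if len(encrypted) > len(keystream):
        raise ValueError("known file is shorter than the target; tail unrecoverable")
    return xor_bytes(encrypted, keystream)

def demo():
    key = derive_key(os.urandom(16))  # never written to disk by the malware
    manual = b"User manual text; a clean copy can still be downloaded from the vendor."
    photo = b"Photo bytes with no surviving original anywhere..."
    enc_manual = xor_bytes(manual, rc4_keystream(key, len(manual)))
    enc_photo = xor_bytes(photo, rc4_keystream(key, len(photo)))
    ks = recover_keystream(manual, enc_manual)  # the one before/after pair
    return decrypt_with_keystream(enc_photo, ks), photo
```

The length check is the practical limit: a known original only recovers files no longer than itself, so the largest clean file you can find is the one to feed to a tool like matsnu1decrypt.exe.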

Re: West Yorkshire Police Virus

This fix totally worked and my files are getting decrypted now! Thank you so much everyone for the help!

Of course, I am being sure to save all my stuff in FOUR different places now, and it seems I have to keep my system hard drives as blank as possible in case this ever happens again. I fear this stuff is only going to get more complex and difficult to stop.

One last thing: once it decrypts, it seems to leave the locked file behind, so I am having to delete the locked files manually so my HD doesn't fill up while it is essentially "doubling" the space. Is there a fix to eliminate the locked files automatically, or am I being greedy?